Today I asked some guys of the Rome PUG, looking for valid replies, about cool ways to authenticate a client over a REST architecture.

My constraints were:

we cannot use any kind of server-side session, because the server must be stateless

we cannot use cookies, because they’re only implemented in HTTP

we must think of the resource to identify as a webpage (this seems stupid, but when I ask about authentication in REST people usually think about authentication in a webservice: no, let's think about any authentication system, like FaceBook's login, which has to directly interact with a human)

and the obvious answer came out to be “client sends credentials at each request”.
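The "credentials at each request" answer, as an added example that is not from the original post: a stateless check of an HTTP Basic `Authorization` header against a salted password store. The user name, password and fixed salt are constructed for the demo; the server keeps no session between calls.

```python
import base64
import binascii
import hashlib
import hmac
from typing import Optional, Tuple

def _pbkdf2(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

# Constructed credential store: username -> (salt, PBKDF2 hash).
# Demo uses one fixed salt; a real store would draw os.urandom(16) per user.
_SALT = b"constructed-demo-salt"
USERS = {"alice": (_SALT, _pbkdf2("correct horse battery staple", _SALT))}

def basic_header(user: str, password: str) -> str:
    """Build the header value a client sends on every request."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")

def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (user, password) from a 'Basic ...' header value, or None if malformed."""
    if not header:
        return None
    scheme, _, blob = header.partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None

def authenticate(headers: dict) -> Optional[str]:
    """Stateless per-request check: returns the authenticated user name or None."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None:
        return None
    user, password = creds
    # Hash even for unknown users so a lookup miss is not faster than a wrong password.
    salt, stored = USERS.get(user, (_SALT, b""))
    candidate = _pbkdf2(password, salt)
    if user in USERS and hmac.compare_digest(candidate, stored):
        return user
    return None
```

Every request is verified from scratch; nothing is remembered server-side, which is exactly the property the constraints above demand.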

Cool? No.

Why is this thing crap?

Because, nowadays, the thing people use to interact with the server (the browser, the creepy browser) is unable to handle the authentication by itself.